Hello Knut,
ok, but the data transfer from the ftp-server does originate from port
20. So why can't I just tell the firewall to accept packets from the
ftp-server which originate at port 20 and are targeted to my client?
After reading a bit through the SuSEfirewall2 script I found that such
a rule is indeed inserted:
(from # SuSEfirewall2 status,
assuming the client has 10.1.1.1 and the ftp-server 192.168.0.1):
0 0 ACCEPT tcp -- * * 10.1.1.1 192.168.0.1 state NEW,RELATED,ESTABLISHED tcp dpt:20
0 0 ACCEPT tcp -- * * 192.168.0.1 10.1.1.1 state RELATED,ESTABLISHED tcp spt:20 flags:!0x16/0x02
Now if I insert a similar rule just without the flags:... part:
0 0 ACCEPT tcp -- * * 192.168.0.1 10.1.1.1 state RELATED,ESTABLISHED tcp spt:20
Then it works. What is this flags... thing for?
--
Best regards,
André mailto:Andre.Saenger@xxxxxx
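Added example, not part of the original message: the flags:!0x16/0x02 column in the listing above is iptables' numeric mask/compare form of a TCP-flags match, with the "!" negating it. The sketch below decodes that string and evaluates it against a few constructed TCP flag bytes; the function names and the sample packets are assumptions made for illustration.

```python
# TCP header flag bits, lowest bit first.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_flags_match(text):
    """Parse 'flags:[!]0xMASK/0xCOMP' into (inverted, mask, comp)."""
    if not text.startswith("flags:"):
        raise ValueError("not a flags match: %r" % text)
    body = text[len("flags:"):]
    inverted = body.startswith("!")
    mask_s, comp_s = body.lstrip("!").split("/")
    return inverted, int(mask_s, 16), int(comp_s, 16)

def flag_names(bits):
    """Names of the flag bits set in 'bits'."""
    return [name for name, bit in TCP_FLAGS.items() if bits & bit]

def describe(text):
    """Render the listing form as the equivalent --tcp-flags option."""
    inverted, mask, comp = parse_flags_match(text)
    return "%s--tcp-flags %s %s" % (
        "! " if inverted else "",
        ",".join(flag_names(mask)),
        ",".join(flag_names(comp)) or "NONE",
    )

def matches(text, packet_flags):
    """True if a packet with these TCP flags satisfies the match."""
    inverted, mask, comp = parse_flags_match(text)
    # Only the bits in 'mask' are examined; they must equal 'comp' exactly.
    hit = (packet_flags & mask) == comp
    return hit != inverted

# Constructed sample packets (flag byte only), not captured traffic.
SAMPLES = {
    "SYN": 0x02,       # connection request
    "SYN,ACK": 0x12,   # reply to a connection request
    "ACK": 0x10,       # established traffic
    "PSH,ACK": 0x18,   # established traffic carrying data
    "FIN,ACK": 0x11,   # connection teardown
}

if __name__ == "__main__":
    rule = "flags:!0x16/0x02"
    print(rule, "=", describe(rule))
    for label, flags in SAMPLES.items():
        print("%-8s -> %s" % (label, "match" if matches(rule, flags) else "no match"))
```

Of the sample packets, only the bare SYN fails the negated match; that is the packet an active-mode FTP server sends from port 20 to open the data connection.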